Solaris 10 as router using ipfilter and nat

Hi,
I installed Solaris 10 on a second disk on an Ultra 5, but have no success using ipfilter with NAT.
I have it working on the first disk with Solaris 9 and ipfilter 3.4.35.
I have pfil on both interfaces (hme0 internal and qfe0 external/Internet) and ipfilter enabled. I used the working rule sets from Solaris 9 and have ip-forwarding enabled. IPFilter is working on the external interface, but none of the hosts on the internal network can connect through the router to the Internet, though they can ping both interfaces.
I had the same problem with Solaris 9 using ipfilter 4.x and had to go back to 3.4.35.
ipfstat shows all rules are loaded and ipnat -l shows the rules, but no connections. ndd -get /dev/ip ip_forwarding returns 1.
Following are my rules:
ipf.conf:
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick proto tcp all with short
block in log quick proto icmp all with frag
block in log quick on qfe0 from 10.0.0.0/8 to any
block in log quick on qfe0 from 127.0.0.0/8 to any
block in log quick on qfe0 from 169.254.0.0/16 to any
block in log quick on qfe0 from 172.16.0.0/12 to any
block in log quick on qfe0 from 192.0.2.0/24 to any
block in log quick on qfe0 from 192.168.0.0/16 to any
block in log quick on qfe0 from 204.152.64.0/23 to any
block in log quick on qfe0 from 224.0.0.0/3 to any
block in log quick on qfe0 from aaa.aaa.aaa.0/24 to any
block in log quick on qfe0 from any to aaa.aaa.aaa.0/32
block in log quick on qfe0 from any to aaa.aaa.aaa.255/32
block in log on qfe0 all
block out quick on qfe0 proto tcp/udp from any port 136 >< 140 to any
block out quick on qfe0 proto tcp/udp from any to any port 136 >< 140
pass out quick on qfe0 proto tcp all flags S/SA keep state keep frags
pass out quick on qfe0 proto udp all keep state keep frags
pass out quick on qfe0 proto icmp all keep state keep frags
pass out quick on qfe0 all
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on hme0 all
pass out quick on hme0 all
ipnat.conf:
map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port ftp ftp/tcp
map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port 7070 raudio/tcp
map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 proxy port 1720 h323/tcp
map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32 portmap tcp/udp auto
map qfe0 aaa.aaa.aaa.0/24 -> bbb.bbb.bbb.bbb/32
aaa.aaa.aaa.aaa = internal network
bbb.bbb.bbb.bbb = external
My routeadm statement shows:
              Configuration   Current              Current
                     Option   Configuration        System State
            IPv4 forwarding   enabled              enabled
               IPv4 routing   enabled              enabled
            IPv6 forwarding   disabled             disabled
               IPv6 routing   disabled             disabled
        IPv4 routing daemon   "/usr/sbin/in.routed"
   IPv4 routing daemon args   ""
   IPv4 routing daemon stop   "kill -TERM `cat /var/tmp/in.routed.pid`"
        IPv6 routing daemon   "/usr/lib/inet/in.ripngd"
   IPv6 routing daemon args   "-s"
   IPv6 routing daemon stop   "kill -TERM `cat /var/tmp/in.ripngd.pid`"
Any suggestions on what more checks I should do, or what additional information is needed?
Regards,
Horst
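The following is an added example, not something from Horst's post (or from the zones Howto further down). It is a small Python check for an ipf.conf/ipnat.conf pair that asks the question behind a "rules load, but nothing gets through" report: does each NAT rule have a filter rule that will pass the packet the filter actually sees? IPFilter applies rdr before the inbound filter rules and applies the outbound filter rules before map, so an rdr needs a pass in that admits the translated (internal) destination and port, and a map needs a pass out that admits the untranslated (private) source. Assumptions: the parser only covers the rule syntax used on this page, with numeric ports; REMOTE is a constructed peer address; and it simulates one probe packet per NAT rule (the private network's first host to TCP port 80 for a map, a TCP connection to the translated port for an rdr), so a clean result means the filter path exists, not that every rule is right.

```python
"""Consistency check for an IPFilter ipf.conf / ipnat.conf pair (added example, not code
from either post on this page).  IPFilter translates inbound packets (rdr) before the
filter rules see them and filters outbound packets before translating them (map)."""
import ipaddress

ACTIONS = {"pass", "block", "log", "count", "auth", "preauth", "call", "skip"}
REMOTE = "203.0.113.50"  # constructed Internet peer used for the probe packets

def _lines(text):
    return [s for s in (ln.split("#", 1)[0].strip() for ln in text.splitlines()) if s]

def _port_spec(t, i):
    """Optional `port n`, `port OP n` or `port a >< b` clause at t[i] -> (spec, next i)."""
    if i >= len(t) or t[i] != "port":
        return None, i
    if i + 2 < len(t) and t[i + 2] in ("><", "<>"):
        return (t[i + 2], int(t[i + 1]), int(t[i + 3])), i + 4
    if t[i + 1].isdigit():
        return ("=", int(t[i + 1])), i + 2
    return (t[i + 1], int(t[i + 2])), i + 3

def _port_ok(spec, p):
    if spec is None:
        return True
    op, a = spec[0], spec[1]
    if op in ("><", "<>"):
        return a < p < spec[2] if op == "><" else p < a or p > spec[2]
    return {"=": p == a, "!=": p != a, "<": p < a, ">": p > a, "<=": p <= a, ">=": p >= a}[op]

def _addr_ok(tok, ip):
    return tok == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)

def parse_filter(line):
    t = line.split()
    if t[0] not in ACTIONS:
        raise ValueError(f"unknown action {t[0]!r}: {line}")
    r = {"action": t[0], "quick": "quick" in t, "dir": None, "iface": None,
         "proto": None, "src": "any", "sport": None, "dst": "any", "dport": None}
    i = 1
    while i < len(t):
        tok = t[i]
        if tok in ("in", "out"):
            r["dir"] = tok
        elif tok in ("on", "proto"):
            i += 1
            r["iface" if tok == "on" else "proto"] = t[i]
        elif tok in ("from", "to"):
            r["src" if tok == "from" else "dst"] = t[i + 1]
            r["sport" if tok == "from" else "dport"], i = _port_spec(t, i + 2)
            continue
        i += 1  # log, all, return-rst, flags, keep state, with ..., icmp-type: ignored here
    return r

def parse_nat(line):
    t = line.split()
    if t[0] == "map":  # map IF SRC -> DST [proxy ... | portmap ...]
        return {"kind": "map", "iface": t[1], "src": t[2]}
    if t[0] == "rdr":  # rdr IF EXT port P -> INT port Q [proto]
        return {"kind": "rdr", "iface": t[1], "int": t[6], "int_port": int(t[8]),
                "proto": t[9] if len(t) > 9 else "tcp"}
    raise ValueError(f"unknown NAT rule: {line}")

def verdict(rules, direction, iface, proto, src, sport, dst, dport):
    """ipf matching: last match wins, except the first matching `quick` rule ends it."""
    result = "pass"  # a packet matching no rule at all is passed
    for r in rules:
        if r["dir"] != direction or r["iface"] not in (None, iface):
            continue
        if r["proto"] is not None and proto not in r["proto"].split("/"):
            continue
        if not (_addr_ok(r["src"], src) and _port_ok(r["sport"], sport)
                and _addr_ok(r["dst"], dst) and _port_ok(r["dport"], dport)):
            continue
        if r["action"] in ("pass", "block"):
            result = r["action"]
            if r["quick"]:
                break
    return result

def check(ipf_conf, ipnat_conf):
    """Return findings; an empty list means every NAT rule has a matching filter path."""
    findings, rules, nat = [], [], []
    for text, parse, out in ((ipf_conf, parse_filter, rules), (ipnat_conf, parse_nat, nat)):
        for line in _lines(text):
            try:
                out.append(parse(line))
            except ValueError as e:
                findings.append(f"syntax: {e}")
    for n in nat:
        if n["kind"] == "rdr":  # inbound: ipf already sees the translated destination
            if verdict(rules, "in", n["iface"], n["proto"], REMOTE, 40000, n["int"], n["int_port"]) != "pass":
                findings.append(f"rdr: nothing passes in on {n['iface']} to {n['int']}:{n['int_port']}")
        else:  # outbound: ipf sees the private source before map rewrites it
            net = ipaddress.ip_network(n["src"], strict=False)
            host = str(net[0] if net.prefixlen == 32 else net[1])
            if verdict(rules, "out", n["iface"], "tcp", host, 40000, REMOTE, 80) != "pass":
                findings.append(f"map: nothing passes out on {n['iface']} from {n['src']}")
    return findings
```

Unknown action keywords are reported as syntax findings, so a rule line starting with something other than pass/block/log and friends shows up instead of being silently skipped. The script does not talk to the kernel; run it against copies of /etc/ipf/ipf.conf and /etc/ipf/ipnat.conf, and use ipfstat -io and ipnat -l to confirm what is actually loaded, as the post above does.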

Similar Messages

  • Howto: Zones in private subnets using ipfilter's NAT and Port forwarding

    This setup supports the following features:
    * Requires 1 Network interface total.
    * Supports 1 or more public ips.
    * Allows Zone to Zone private network traffic.
    * Allows internet access from the global zones.
    * Allows direct (via ipfilter) internet access to ports in non-global zones.
    (change networks to suit your needs; the number of public and private IPs was lowered to simplify this doc)
    Network setup:
    iprb0 65.38.103.1/24
    defaultrouter 65.38.103.254
    iprb0:1 192.168.1.1/24 (in global zone)
    Create a zone on iprb0 with an ip of 192.168.1.2
    ### Example /etc/ipf/ipnat.conf
    # forward from a public port to a private zone port
    rdr iprb0 65.38.103.1/32 port 2222 -> 192.168.1.2 port 22
    # force outbound zone traffic thru a certain ip address
    # required for mail servers because of reverse lookup
    map iprb0 192.168.1.2/32 -> 65.38.103.1/32 proxy port ftp ftp/tcp
    map iprb0 192.168.1.2/32 -> 65.38.103.1/32 portmap tcp/udp auto
    map iprb0 192.168.1.2/32 -> 65.38.103.1
    # allow any 192.168.1.x zone to use the internet
    map iprb0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
    map iprb0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
    map iprb0 192.168.1.0/24 -> 0/32
    For testing purposes you can leave /etc/ipf/ipf.conf empty.
    Be aware that you must "svcadm disable ipfilter; svcadm enable ipfilter" to reload rules, and the rules stay loaded if they are just disabled (bug).
    Zones can't modify their routes and inherit the default routes of the global zone. Because of this we have to trick the non-global zones into using a router that doesn't exist.
    Create /etc/init.d/zone_route_hack
    Link this file to /etc/rc3.d/S99zone_route_hack.
    #!/bin/sh
    # based on information found at
    # http://blogs.sun.com/roller/page/edp?entry=using_branded_zones_on_a
    # http://forum.sun.com/jive/thread.jspa?threadID=75669&messageID=275741
    fake_router=192.168.1.254
    public_net=65.38.103.0
    router=`netstat -rn | grep default | grep -v " $fake_router " | nawk '{print $2}'`
    # send some data to the real network router so we look up its arp address
    ping -sn $router 1 1 >/dev/null
    # record the arp address of the real router
    router_arp=`arp $router | nawk '{print $4}'`
    # delete any existing arp address entry for our fake private subnet router
    arp -d $fake_router >/dev/null
    # assign the real router's arp address to our fake private subnet router
    arp -s $fake_router $router_arp
    # route our private subnet through our fake private subnet router
    route add default $fake_router
    # Can't create this route until the zone/interface are loaded
    # Adjust this based on your hardware and number of zones
    sleep 300
    # Duplicate this line for every non-global zone with a private ip that
    # will have ipfilter rdr (redirects) pointing to it
    route add -net $public_net 192.168.1.2 -iface
    Now we have both public and private IP addresses on our one iprb0 interface. If we'd really like our private zone network to be private, we don't want any non-NAT'ed 192.168.1.x traffic leaving the interface. Since ipfilter can't block traffic between zones (they use loopbacks), we can just block the 192.168.1.x traffic and the zones can still talk.
    The following /etc/ipf/ipf.conf defaults to deny.
    # ipf.conf
    # IP Filter rules to be loaded during startup
    # See ipf(4) manpage for more information on
    # IP Filter rules syntax.
    # INCOMING DEFAULT DENY
    block in all
    block return-rst in proto tcp all
    # two open ports one of which is redirected in ipnat.conf
    pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
    pass in quick on iprb0 proto tcp from any to any port = 2222 flags S keep state keep frags
    # INCOMING PING
    pass in quick on iprb0 proto icmp from any to 65.38.103.0/24 icmp-type 8 keep state
    # INCOMING GLOBAL ZONE UNIX TRACEROUTE FIX PART 1
    #pass in quick on iprb0 proto udp from any to 65.38.103.0/24 keep state
    # OUTGOING RULES
    block out all
    # ALL INTERNAL TRAFFIC STAYS INTERNAL (Zones use non-filtered loopback)
    # remove/edit as needed to actually talk to local private physical networks
    block out quick from any to 192.168.0.0/16
    block out quick from any to 172.16.0.0/12
    block out quick from any to 10.0.0.0/8
    block out quick from any to 0.0.0.0/8
    block out quick from any to 127.0.0.0/8
    block out quick from any to 169.254.0.0/16
    block out quick from any to 192.0.2.0/24
    block out quick from any to 204.152.64.0/23
    block out quick from any to 224.0.0.0/3
    # Allow traffic out the public interface on the public address
    pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
    # OUTGOING PING
    pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 8 keep state
    # Allow traffic out the public interface on the private address (needs nat and router arp hack)
    pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
    # OUTGOING PING
    pass out quick on iprb0 proto icmp from 192.168.1.0/24 to any icmp-type 8 keep state
    # INCOMING TRACEROUTE FIX PART 2
    #pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 3 keep state
    If you want incoming and outgoing internet in your zones, it is easier if you just give them public IPs and set up a firewall in the global zone. If you have limited public IP addresses (I'm setting up a colocation 1U server) then you might take this approach. One of the best things about doing things this way is that any software configured in the non-global zones will never be configured to listen on an IP address that might change if you change public IPs.

    Instead of using the script as a legacy_run script, set it up in SMF.
    First create the file /var/svc/manifest/system/ip-route-hack.xml with
    the following
    ---Start---
    <?xml version="1.0"?>
    <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
    <!--
        ident "@(#)ip-route-hack.xml 1.0 09/21/06"
    -->
    <service_bundle type='manifest' name='NATtrans:ip-route-hack'>
      <service
        name='system/ip-route-hack'
        type='service'
        version='1'>
        <create_default_instance enabled='true' />
        <single_instance />
        <dependency
          name='physical'
          grouping='require_all'
          type='service'
          restart_on='none'>
          <service_fmri value='svc:/network/physical:default' />
        </dependency>
        <dependency
          name='loopback'
          grouping='require_all'
          type='service'
          restart_on='none'>
          <service_fmri value='svc:/network/loopback:default' />
        </dependency>
        <exec_method
          type='method'
          name='start'
          exec='/lib/svc/method/svc-ip-route-hack start'
          timeout_seconds='0' />
        <property_group name='startd' type='framework'>
          <propval name='duration' type='astring' value='transient' />
        </property_group>
        <stability value='Unstable' />
        <template>
          <common_name>
            <loctext xml:lang='C'>
              Hack to allow zone to NAT translate.
            </loctext>
          </common_name>
          <documentation>
            <manpage title='zones' section='1M' manpath='/usr/share/man' />
          </documentation>
        </template>
      </service>
    </service_bundle>
    ---End---
    then modify /var/svc/manifest/system/zones.xml and add the following dependency
    ---Start---
    <dependency
      name='inet-ip-route-hack'
      type='service'
      grouping='require_all'
      restart_on='none'>
      <service_fmri value='svc:/system/ip-route-hack' />
    </dependency>
    ---End---
    Finally create the file /lib/svc/method/svc-ip-route-hack with the
    contents of S99zone_route_hack, minus the sleep timer (perms 0755). Run
    'svccfg import /var/svc/manifest/system/ip-route-hack.xml' and 'svccfg
    import /var/svc/manifest/system/zones.xml'.
    This will guarantee that ip-route-hack is run before zones are started,
    but after the interfaces are brought on line. It is worth noting that
    zones.xml may get overwritten during a patch, so if it suddenly stops
    working, that could be why.

  • Router/gateway mode and NAT

    In a posting in this site, it was suggested that NAT replaces router/gateway mode as used on the WRT54GS.  I am wondering if that is correct.
    Why?  I have a WRT54GS (firmware v4.71.4, Oct. 31, 2007).
    This works:
    I have a class C IP block (full 256 addresses).  I have the WAN side set up with
    xxx.yyy.zzz.129 wan address
    255.255.255.128
    xxx.yyy.zzz.254 (default gateway)
    (this forces the WAN side to just use the high 128 addresses - I am only using 129)
    then, for the router IP, I have
    xxx.yyy.zzz.15
    255.255.255.0
    and DHCP is
    xxx.yyy.zzz.90 and 20 users
    The LAN side uses the low 128 addresses.
    This all works.  I have the WRT set up as a Gateway (not Router)
    HOWEVER,
    I tried this on an Asus 56U box which has the NAT setting but no router/gateway mode and it won't allow the xxx.yyy.zzz block to be used on both the WAN and LAN sides.   Is the Asus broken or is your answer wrong?
    Why was I looking at the Asus?  Someone recommended it to me.  I would be happy to use a Linksys box instead if you can tell me which one would support the router/gateway mode. 
    My WRT54GS is working fine but I now have a Verizon Net Connect box that uses VPN and VoIP and am getting a lot of delay.
    I was thinking that a newer box might be faster.
    Thanks!!

    I've seen some of the new routers with cisco/linksys that it does have the capability for NAT to be disabled if that is what you are looking for. But I agree with the person above me.

  • Joining a work network using wireless and proxy servers

    Hi,
    I have just arrived at a new work location, where we have an after-hours user network that we can connect to in our accommodation. I have had continual trouble trying to connect to the network, and have taken my MacBook to the geeks who provide the network. They can't fix the problem either (and are reluctant to as they don't like Macs).
    The problem is exactly as follows:
    My airport instantly identifies the network. I need a password to connect to the network name, and this seems to work, but when I run the diagnostics it shows that the airport, airport settings and network settings are all green; but ISP, internet and server are red and failed.
    Next I click on advanced, and the geeks informed me that I need to set up a Web Proxy (HTTP), Secure Web Proxy (HTTPS), FTP Proxy and SOCKS Proxy. They have all been done correctly with the same login and password (which was provided by the geeks). Now they have watched me do this and tried themselves, and they tell me it is correct and has worked previously on other people's Macs this exact way.
    But for some reason after applying all this and even restarting the computer just incase, the ISP and onwards still fail to connect.

    The good news is that the basic roaming network setup is the same with the newer 6.x version of the AirPort Utility.
    Here are some step-by-step instructions using the 6.x version of the AirPort Utility.
    First, there are a few key elements to successfully configuring a roaming network, and they are:
    All of the base stations must be interconnected by Ethernet. Note: You can use non-Apple routers in this type of network.
    All base stations must have unique Base Station Names.
    All base stations must use the same Radio Mode and Wireless Security Type/Password.
    Each base station should be on a different Radio Channel. Using "Automatic" works well here.
    All base stations, other than the "main" base station, must be reconfigured as a bridge.
    Let's start with the "main" base station. This will be the one directly connected to the Internet modem:
    AirPort Utility > Select the "main" base station > Edit
    Base Station tab > Base Station Name > Enter a unique name here
    Internet tab > Connect Using: DHCP
    Wireless tab > Network Mode: Create a wireless network > Wireless Network Name > Enter the desired name. This will be used on all base stations > Wireless Security: WPA2 Personal (recommended) > Wireless Password > Enter the desired wireless password. This will be used on all base stations.
    Network tab > Router Mode: DHCP and NAT
    Click on Update
    For each additional base station added to the roaming network:
    AirPort Utility > Select the appropriate base station > Edit
    Base Station tab > Base Station Name > Enter a unique name here
    Internet tab > Connect Using: DHCP
    Wireless tab > Network Mode: Create a wireless network > Wireless Network Name > Enter the desired name. This will be used on all base stations > Wireless Security: WPA2 Personal (recommended) > Wireless Password > Enter the desired wireless password. This will be used on all base stations.
    Network tab > Router Mode: Off (Bridge Mode)
    Click on Update

  • Losing internet when in DHCP and NAT mode

    Hello and thank you for your help.  I am a novice.
    I am using a 2009 macbook pro 10.7.5 with Mountain Lion
    Originally my airport extreme setup was for " DHCP and NAT ".
    Since yesterday, I am only able to get internet via Bridge mode, but I have to sign in to my server network first, like a hotspot
    This means that my internet time is limited and the Finder shows other personal computers that do not belong to my personal network. My iPhone cannot connect to my personal network without signing in to the internet service provider website first as well.
    What happens when I try to update and restart the AE to DHCP and NAT is that I lose internet and get the following message in the AirPort Extreme icon:
    "DOUBLE NAT:
    This AirPort base station has a private IP address on its Ethernet WAN port.
    It is connected to a device or network that is using NAT to provide IP addresses.
    Change your AirPort base station from using DHCP and NAT to bridge mode."
    Now, I do not want bridge mode.
    My attempt to solve the problem was resetting the AE to factory. This created a new network. The new network appears in the network icon and it is WPA2 Personal protected, like the previous one.
    I appreciate your time and look forward to solving my problem with some help in here - thank you again

    Originally my airport extreme setup was for " DHCP and NAT ".
    If it was, and you had a modem/router or gateway type of device "upstream" on the network, then you created a Double NAT error on the network.
    Sometimes, you can get away with this on a simple network, and AirPort Utility does provide the option to "ignore" the error on the network, so the AirPort Extreme will display a green status light.....instead of blinking amber, which signals that something is amiss.
    "DOUBLE NAT:
    This airport base station has a private IP address on its Ethernet WAN port.
    It is connected to a device or network that is using NAT to provide IP addresses.
    Change your AirPort base station from using DHCP and NAT to bridge mode."
    If you want to run in DHCP and NAT mode, you will have a Double NAT error on the network. Click the option to "ignore" the error.
    Then, power cycle the entire network. That means powering everything off, waiting a minute, then starting the modem first and let it run a minute or two, then start the next device the same way. Keep starting devices one at a time about a minute apart until the entire network is back up.

  • Question connecting iphone 4s wifi using SSID and WEP where do I

    Question, I am trying to connect my iphone 4s to a wireless router using SSID and WEP. I have entered the MAC Address on the phone into the Router's Security list.
    I think that I also need to enter a code or passphrase on to the phone as well.
    Does anyone know how this is done and where do I do it?
    Thank you in advance.

    Check the wireless security option of your Wi-Fi router:
    If you are using WEP security and have multiple WEP keys on your Wi-Fi router, try configuring your Wi-Fi router to use only a single WEP key in key index 1.
    Consider using WPA or WPA2 instead. WPA and WPA2 encryption protocols are newer, more effective security options for wireless networks than the older WEP protocol.

  • Internal DNS server and NAT routing issue.

    Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
    We have a Cisco router configured with one-to-one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and NAT on that subnet under a different public IP provided by our ISP.
    Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
    The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
    Thanks

    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
    The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.

  • ASA9.1 how to use route-lookup instead of "NAT-lookup" for egress interface on non-identity NAT

    Hi,
    I have an ASA firewall with three interfaces, inside, outside and Link.
    I have a situation where I need the ASA to perform the following nat rules:
    from "Inside" to "Link" - any source to destination 192.168.51.0/24 - translate source to 10.0.0.19
    from "inside" to "outside" - any source to any destination - translate source to "interface" (internet navigation)
    from "inside" to "outside" - any source to 192.168.51.0/24 - translate source to 10.0.0.17
    This is what I am trying to get working:
    nat (any,TEF) source dynamic any 130.130.0.19_nat destination static obj_192.168.51.0 obj_192.168.51.0
    nat (any,outside) source dynamic any 130.130.0.17_nat destination static obj_192.168.51.0 obj_192.168.51.0
    The problem is that the "outside" route to 192.168.51.0 is an alternative route over a VPN tunnel. I'm using sla monitor, so when the "Link" interface is out, the route table changes the network 192.168.51.0/24 to be reachable over the outside interface. but ASA is using the NAT rule to perform "egress interface lookup" instead of route-lookup.
    I know about the command route-lookup on the NAT configuration, but I need to translate the source address and when I try to use the route-lookup command I get an error message:
    ERROR: Option route-lookup is only allowed for static identity case
    Does anybody have a suggestion?
    Thanks

    Hi Julio,
    Thank you for the reply.
    It didn't work either.
    Here are the options I get when I use the specific interfaces (using "source dynamic"):
    configure mode commands/options:
      description  Specify NAT rule description
      inactive     Disable a NAT rule
      net-to-net   Net to net mapping of IPv4 to IPv6
      service      NAT service parameters
    If I try to use source static:
     nat (inside,TEF) source static inside_nat 130.130.0.19_nat destination static obj_192.168.51.0 obj_192.168.51.0 route-lookup
    ERROR: Option route-lookup is only allowed for static identity case

  • I lost my connection when I was using internet and when I want to reconnect to airport it give me connection timeout error, I changed my password on router but still doesn't work. How can i fix my problem?

    Hi,
    I lost my AirPort connection when I was using the internet, and when I wanted to reconnect to AirPort it gave me a connection timeout error. I changed my password on the router but it still doesn't work. How can I fix my problem?

    Hello there hastibahreini,
    It sounds like you were using your Wi-Fi network from your Airport base station and the connection cut out. You have reset the password on the device but the issue persists. I would try the 3 resets outlined in the following article in order to help resolve the issue. If it persists, is the Wi-Fi connection issue happening on more than one device or computer?
    Resetting an AirPort base station FAQ
    http://support.apple.com/kb/ht3728
    Thank you for using Apple Support Communities.
    Cheers,
    Sterling

  • I have recently started a solaris. I have a solaris using 64x and 86x systems and have java. The machine is very active and is very quick. I am happy so far with its performance and think its worthwhile to continue with my projects. That's all I have to s

    I have recently started a solaris. I have a solaris using 64x and 86x systems and have java. The machine is very active and is very quick. I am happy so far with its performance and think its worthwhile to continue with my projects. That's all I have to say.
    John Lupton

  • My mac can't connect to belkin router?  My mac can connect but I still can't surf the net? Help Please... This is my first time to use mac and belkin.

    My Mac can't connect to the Belkin router? My Mac can connect but I still can't surf the net. Help please... This is my first time using a Mac and Belkin.

    Is it Wireless you're trying to connect with?
    Which Mac?
    So we know more about it...
    At the Apple Icon at top left>About this Mac, then click on More Info, then click on Hardware> and report this upto but not including the Serial#...
    Hardware Overview:
    Model Name: iMac
    Model Identifier: iMac7,1
    Processor Name: Intel Core 2 Duo
    Processor Speed: 2.4 GHz
    Number Of Processors: 1
    Total Number Of Cores: 2
    L2 Cache: 4 MB
    Memory: 6 GB
    Bus Speed: 800 MHz
    Boot ROM Version: IM71.007A.B03
    SMC Version (system): 1.21f4

  • Router NME IPS - use promiscuous and inline mode simultaneous

    Hi all,
    we are using the IPS module NME-IPS-K9 on a Cisco 2951 router. We would like to use the IPS in promiscuous and inline mode simultaneously. For example, traffic from a client to a server should pass through the IPS, but the IPS should only receive a copy of the VoIP traffic.
    In the interface configuration mode the following command is set.
         ids-service-module monitoring promiscuous access-list 101
    If I try to set a interface to inline mode I get the following message:
         "Only either Inline or Promiscuous
         monitoring is supported on the router at one time.
         Please remove Promiscuous monitoring on all interfaces
         before configuring Inline monitoring. Only either Inline or Promiscuous
         monitoring is supported on the router at one time.
         Please remove Promiscuous monitoring on all interfaces
         before configuring Inline monitoring."
    Is there any way to use promiscuous and inline monitoring at the same time? Is there a firmware update available which includes this feature? Any other ideas?
    IOS version of the router: 15.0(1)M4
    IPS version:  7.0(2)E4
    Kind Regards

    In promiscuous mode your sensor doesn't affect the traffic; it only listens to and analyzes it.
    In inline mode you direct all the traffic on the network segment you want to protect through the IPS, and it analyzes it and blocks some actions according to your settings.
    It is the main difference. Which mode to prefer must be your decision.

  • I have a Cisco/Linksys WRT-54G wireless router and 2 Airport Extremes (the small ones that plug directly into the wall). Is it possible to extend the network from the router using these two AEs? I have a DVD player and Ext HD plugged into the router too..

    I have a Cisco/Linksys WRT-54G wireless router and 2 Airport Extremes (the small ones that plug directly into the wall). Is it possible to extend the network from the router using these two AEs? I have a DVD player and Ext HD plugged into the router too. Any ideas? I'm guessing the only way is to do what I've seen in these community pages which states that it can be done but it will drop the bandwidth by 50%. Thoughts?? Thanks!

    The Cisco/Linksys WRT-54G was one of the very few routers said to be compatible with Apple's implementation of WDS (Wireless Distribution System) settings.
    The info that I have on file indicates that only the WRT-54G versions 4 and under were compatible, so that would be one bridge to cross.
    Even if you find that your Cisco/Linksys might be the right version, Apple never published instructions on how to configure the Express devices with other manufacturers' equipment, so users were left to their own devices to try to figure out how to get things working. Apple's instructions to connect to other Apple devices are in the link below:
    WDS network
    If you were hoping to use 2 Express devices in this type of configuration...even if it works...the bandwidth penalties will be extremely severe.
    The first Express drops the bandwidth (and speed) on the entire network in half and the second halves everything again. So, the result, in effect would be a "g" wireless network running at 25% speed. Few users would consider installing this type of network.
    At this point, it becomes one of those things where the fact that you might be able to do something does not mean that there would be much value in doing so. But, it is your decision to decide if you want to try to proceed.

  • Cisco ASA 5505 - outside can't DHCP as router uses same range

    Hi
    I'm new to the ASA and am trying to set up a test net. The ASA is connected to my router on port zero using DHCP.
    (Or I guess it's not, as the router uses the same IP range as the ASA does inside).
    I tried to set a static IP in the same range (e.g. 192.168.1.20) but then get the message "cannot overlap with the subnet of interface inside".
    So I believe that is why it doesn't get an IP from my router - it does show up in the router DHCP table as 192.168.1.5 but ASDM home says outside "no IP address".
    I tried to change the inside range of the ASA but if I change the inside IP I lose connection.
    (Had to restore factory-default using the console).
    I guess I could set up another range using the console, but how?
    How can I set up this test net?

    If I needed to save, I did not. (I have not used the console before).
    Found the "write memory" and reload commands.
    I can't connect to the ASA using the ASDM-IDM Launcher (from a PC connected to the inside LAN).
    It seems that the ASA DHCP server does not work.
    And: show running-config
    ciscoasa# show running-config
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    no ip address
    ftp mode passive
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:5085ad55b43198c7490b2edfee450906
    : end

  • ASA5505 SOHO public ip range and nat head ache

    Hello
    Can anyone shed some light on a problem I'm having. We have set up an ASA 5505 with an ISP called Zen that allocates you a subnet of public IP addresses. I have successfully set up the ASA to access the internet using NAT on the outside interface. We would like to use the other IP addresses in the range for other services but I cannot think how I can do this/configure this.
    LAN > ASA5505 > VDSL Modem > ISP
    the range they have given us is
    Number of IP addresses: 8
    IP addresses: XX.XX.XXX.40 - XX.XX.XXX.47
    Subnet mask: 255.255.255.248
    Subnet in slash notation: XX.XX.XXX.40 /29
    Network address: XX.XX.XXX.40
    XX.XX.XXX.41
    XX.XX.XXX.42
    XX.XX.XXX.43
    XX.XX.XXX.44
    XX.XX.XXX.45
    XX.XX.XXX.46 Router
    Broadcast address: XX.XX.XXX.47
    Router address: XX.XX.XXX.46
    I have set up XX.XX.XXX.46 on the outside interface and hosts inside can access the net, and NAT from the internet to internal devices all works.
    We have a VDSL modem connected to the outside interface and using PPPoE we dynamically get the XX.XX.XXX.46/32 address.
    Is there any way I can use the other spare addresses? I do see how I can use them. I have done a lot of browsing and the only way I see that other people have been able to do this is using a layer 3 device and using ip unnumbered on the external interface pointing to a loopback.
    Any info or advice would be gratefully received.
    regards
    C.

    Hello
    The version is Cisco Adaptive Security Appliance Software Version 9.2(2)4.
    Debugging ICMP I see pings to the .46 address; however, I see no pings/traffic received on the ASA for the other addresses. How does Zen know to route the xx.xx.xx.41 to .45 IP addresses to the firewall using the .46 address?
    The NAT rules I have are
    nat (Vlan200_Int,Outside_Dirty_Int) dynamic interface < this works for lan access to the internet
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp www 65100
    nat (Vlan200_Int,Outside_Dirty_Int) static xx.xx.xx.45 no-proxy-arp service tcp https 65101
    access-list Outside_Dirty_Network_access_in extended permit tcp object Click_PC object ESXi object-group DM_INLINE_TCP_7
    object-group service DM_INLINE_TCP_7 tcp
    port-object eq 902
    port-object eq www
    port-object eq https
    Thanks for the help
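    Added example (not from either ASA 5505 thread, and not Cisco's own code): a small Python lint reproducing the three address-plan checks these two threads turn on, the interface-overlap test behind the "cannot overlap" error, whether the `http ... inside` statement admits the inside hosts that cannot open ASDM, and which addresses of an ISP block are spare for static NAT. All sample addresses are constructed; 203.0.113.40/29 stands in for the XX.XX.XXX.40/29 block.

```python
# Added example: address-plan checks modelled on the ASA 5505 threads above.
# Not taken from the threads or from Cisco; sample addresses are constructed.
from ipaddress import ip_address, ip_interface, ip_network


def interface_overlaps(interfaces):
    """Return name pairs whose subnets overlap.

    The ASA rejects an interface address with "cannot overlap with the subnet
    of interface inside" exactly when this list would be non-empty."""
    nets = {name: ip_interface(cidr).network for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def asdm_reachable(http_net, http_mask, inside_cidr):
    """True if `http <net> <mask> inside` admits every host on the inside subnet.

    In the posted config the statement names 192.168.1.0/24 while inside is
    192.168.2.1/24, so a PC on inside is not permitted to open ASDM."""
    allowed = ip_network(f"{http_net}/{http_mask}", strict=False)
    return ip_interface(inside_cidr).network.subnet_of(allowed)


def spare_public_addresses(block_cidr, router_addr):
    """Addresses in an ISP block usable for static NAT: every host address
    except the one already bound to the outside interface (network and
    broadcast are excluded by hosts())."""
    block = ip_network(block_cidr)
    return [str(h) for h in block.hosts() if h != ip_address(router_addr)]


def static_nat_target_ok(block_cidr, router_addr, mapped):
    """True if a `nat ... static <mapped>` address is one of the spare ones."""
    return str(ip_address(mapped)) in spare_public_addresses(block_cidr, router_addr)


if __name__ == "__main__":
    # Constructed: ASA 5505 factory-default inside plus the attempted outside.
    print(interface_overlaps({"inside": "192.168.1.1/24",
                              "outside": "192.168.1.20/24"}))
    print(asdm_reachable("192.168.1.0", "255.255.255.0", "192.168.2.1/24"))
    # Constructed stand-in for the XX.XX.XXX.40/29 block with .46 on the router.
    print(spare_public_addresses("203.0.113.40/29", "203.0.113.46"))
    print(static_nat_target_ok("203.0.113.40/29", "203.0.113.46", "203.0.113.45"))
```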
